EU Turns Up the Volume on Google Privacy Grumbling

Google's new privacy policy, which took effect Thursday, violates EU law, European Union Justice Commissioner Viviane Reding said on the BBC's Radio Four Thursday morning.

The European Union privacy body, citing its concerns about the policy, had asked Google to delay implementation of the changes; Google has rebuffed those requests.

French data protection watchdog Commission Nationale de l'Informatique et des Libertes (CNIL) issued a letter to the search giant earlier this week, casting doubt on the legality of the privacy policy, and informing Google that it would lead a Europe-wide investigation.

"I support the French data protection authority's request to Google to delay the introduction of its new privacy policy until questions about the policy's compliance with EU data protection rules have been resolved," EU Justice Commissioner Viviane Reding said in a statement provided to the E-Commerce Times.

"It is unfortunate that Google has gone ahead with the new policy before addressing the French data protection authority's concerns," Reding continued. "All companies that offer services to European consumers must provide their customers with clear information about their privacy policy. In Europe, consumers must be able to make informed decisions about using Internet-based services."

The Next Steps

At present, it appears that neither side is about to back down. Over the past month, Google has requested to meet with the CNIL, but its offer has not been accepted.

For now, Google maintains that it has provided a policy that meets the Working Party's recommendations, while still providing wide-ranging information to its users.

Google is confident that its new privacy policy respects all European data protection laws and principles, while providing all the information required in Articles 10 & 11 of the directive, according to a statement provided to the E-Commerce Times by spokesperson Christine Chen.

Its policy follows the guidelines published by the Article 29 Working Party in 2004, Google said.

However, there are still concerns that this is not enough.

"The French data protection authority said that it has 'strong doubts' that Google's privacy policy is in conformity with EU laws," European Union spokesperson Matthew Newman told the E-Commerce Times. "The authority wants Google to respond to these concerns. There may be the possibility of fines if Google is found to violate the EU Data Protection Directive."

The enforcement of EU data protection rules is decentralized, Newman noted, adding that "it's up to the national data protection authorities to ensure that companies follow the rules. The Commission cannot take action against individual companies."

Action and Reaction

There is a perception that the EU bodies have been late to respond by waiting until the day the privacy changes go live, Forrester Research analyst Anthony Mullen told the E-Commerce Times.

"The issue with the EU at present is that there are two 'privacy trains' running," he explained. "The first is the EU Cookie Directive, which does not have teeth given it's a) EU only and willfully ignorant of how data moves between borders on the Web; b) predicated on a specific technology, i.e., cookies; and c) a directive -- meaning it's verging on advice rather than hard-and-fast law. This is why the directive has mostly been ignored by most companies outside of regulated industries. The second train running is the Data Protection Act, which does indeed have teeth but was recently revised in January."

With respect to data transparency, the Google Dashboard is better than anything in the industry for playing back to customers what data is held about them, Mullen added -- Microsoft, Yahoo and the telecom companies don't come close to such transparency.

"If Google was a public service, which we sometimes imagine them to be, then the taxpayers would want them to be efficient and to consolidate and remove duplication," he said.

"Yes, it has a business benefit for Google," Mullen acknowledged, "but hobbling Google by asking them to run two sets of architectures for their business -- old privacy/data management setup and the new one, streamlined -- shows a lack of understanding about how services and technology [are] constructed."